Sudeep's Blog

Disorganized Thoughts in Organized Manner

Bcrypt, Hashlib and Hmac
Steve Huffman's super-amazing course on Web-app development on Udacity, ( link is here...And fyi, this humble blog is a result of diligently following lecture videos/programming tasks), talks about multiple hashing algorithms for hashing critical information (e.g. password). The course introduces three important/commonly used hashing libraries, described in the title of this post. Hashlib is fairly common, and has support for almost all of most common hashing algorithms like MD5, SHA1, SHA32 and SHA256. It is, however, vulnerable to Length Extension Attack HMAC (Hash Based Message Authentication Code) has an added advantage of a secret key, which is also hashed along with actual message. An attack is useless without knowing the secret key. The last library, however, caught my attention, especially because Steve termed it "the best" among all. Some googling led me to this page on python implementation of bcrypt. Now what exactly is bcrypt? Well, bcrypt stands for "Blowfish Encryption". Perhaps the most important feature of bcrypt algorithm is its adaptive modification of key. It starts with a standard key with salt. But modifies part of the key using the message it has already encrypted. This modified key is further used to encrypt remaining part of message and so on. Moreover, this cyclic approach is configurable: Number of message-hash-key-modify cycles can be specified by the user and as a result, hashing time of the algorithm is configurable, while giving stronger and stronger encryption schema. Neat stuff!
Back to Home